About this Book


The NetIQ Identity Manager (4.8.5.0100) resolves some of the previous issues. This document 
outlines the instructions on how you can apply this patch. 


IMPORTANT: In addition to the patch update, the Identity Manager 4.8.5 Patch 1 Common
Dependencies patch contains updates to the NICI and OpenSSL components. For more information, see
the NetIQ Identity Manager 4.8.5 Patch 1 Common Dependencies Release Notes.


1 What's New and Changed? 


Identity Manager 4.8.5.0100 provides the following enhancements and fixes in this release: 


* “Component Updates”
* “Software Fixes”


Component Updates 


This release adds support for NetIQ Self Service Password Reset (SSPR) 4.5.0.5-1, which now 
supports Apache log4j 2.x. 


Software Fixes 


This release contains software fixes for issues detected in Identity Manager components using Micro 
Focus Fortify Static Code Analyzer. A security vulnerability in a component that uses a third-party 
library and impacts deprecated Identity Manager functionality has also been fixed. 


For fixed issues and details related to User Application driver, see NetIQ Identity Manager User
Application Driver 4.8.5.0100 Release Notes
(https://www.netiq.com/documentation/identity-manager-48-drivers/UADriver4.8.5.0100_readme/data/UADriver4.8.5.0100_readme.html).


In addition, NetIQ Identity Manager provides the following software fixes that resolve previous 
issues in the Identity Applications component: 


The Usage of Extended Characters in User Entity’s DN Attribute 
No Longer Results in a Request Form Error 


When the DN attribute of a User entity contains Cyrillic or other non-Latin characters (such as 
Swedish), the IDVault.get or utils.get functions successfully populate that entity’s data in the 
request form fields. (Defect 489163) 


Roles are Listed Alphabetically on the Users Page 


This release resolves an issue on the Dashboard's Users page wherein the roles of a User were not 
sorted alphabetically after updating Identity Manager to 4.8.4 and 4.8.5 versions. (Defect 
495060)


IDVault.get() Function Using a REST Access API call to GET /entities/list
Works as Expected


The issue with JSON Forms failing when using the IDVault.get function in Identity Manager 4.8.5 
has been resolved. Instead of entity key, Identity Applications uses the LDAP class associated with 
the entity key as the objectClass in an LDAP filter. (Defect 494201) 


When CEF Auditing is Enabled, eDirectory Shutdown no Longer 
Creates Core Dump 


When Common Event Format (CEF) auditing is enabled, shutting down eDirectory no longer creates
a core dump. (Defect 329481)


2 Updating Identity Manager to This Patch


When two or more Identity Manager components are installed on the same server, you must stop 
the corresponding services before updating to this patch. For example, if Identity Vault and 
iManager are installed on the same server, you must stop the Identity Vault and the iManager 
Tomcat services before performing an update. 


NOTE: You must be on Identity Manager 4.8.5 with Identity Manager 4.8.5 Patch 1 Common 
Dependencies patch at a minimum to apply this patch. 


* “Updating This Patch on Linux”
* “Updating this Patch on Windows”


Updating This Patch on Linux 


This patch requires you to update the following components based on your requirement: 


* “Updating Identity Manager Engine”
* “Updating Remote Loader”
* “Updating Fanout Agent”
* “Updating Identity Applications”
* “Updating the SSPR”
* “Updating the iManager”
* “Updating Identity Manager Third Party License”


Updating Identity Manager Engine

1 (Conditional) If you are running this patch as a root user, perform the following steps:

  1a Run the following command to stop the Identity Vault instance:

     ndsmanage stopall

  1b Download the Identity_Manager_4.8.5_P1_Engine.zip file.

  1c Extract the Identity_Manager_4.8.5_P1_Engine.zip file.

  1d Navigate to the <extracted location>/Engine/Linux/x64 folder and run the
     following commands:

     rpm -Uvh novell-DXMLbasenoarch-4.8.5-0100.x86_64.rpm
     rpm -Uvh novell-DXMLengnx-4.8.5-0100.x86_64.rpm
     rpm -Uvh novell-DXMLeventx-4.8.5-100.x86_64.rpm

  1e (Conditional) If you are running this patch on OES Operating System, navigate to the
     <extracted location>/Linux/x64 and run the following commands:

     rpm -Uvh --force novell-DXMLbasenoarch-4.8.5-0100.x86_64.rpm
     rpm -Uvh novell-DXMLengnx-4.8.5-0100.x86_64.rpm
     rpm -Uvh novell-DXMLeventx-4.8.5-100.x86_64.rpm --nodeps

  1f Run the following command to start the Identity Vault instance:

     ndsmanage startall


2 (Conditional) If you are running this patch as a non-root user, perform the following steps:

  2a Download the Identity_Manager_4.8.5_P1_Engine.zip file.

  2b Extract the Identity_Manager_4.8.5_P1_Engine.zip file.

  2c Run the following command to stop the Identity Vault instance:

     ndsmanage stopall

  2d Set the root directory path for Identity Vault.

     export ROOTDIR='<root directory path>'

     For example,

     export ROOTDIR='/home/idvault'

  2e Upgrade the RPMs using the following command:

     rpm --dbpath $ROOTDIR/rpm -Uvh \
       --relocate=/usr=$ROOTDIR/opt/novell/eDirectory \
       --relocate=/etc=$ROOTDIR/etc \
       --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory \
       --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml \
       --relocate=/var=$ROOTDIR/var \
       --badreloc --nodeps --replacefiles <path to the new rpms>

     For example:

     rpm --dbpath /home/idvault/rpm -Uvh \
       --relocate=/usr=/home/idvault/opt/novell/eDirectory \
       --relocate=/etc=/home/idvault/etc \
       --relocate=/opt/novell/eDirectory=/home/idvault/opt/novell/eDirectory \
       --relocate=/opt/novell/dirxml=/home/idvault/opt/novell/dirxml \
       --relocate=/var=/home/idvault/var \
       --badreloc --nodeps --replacefiles \
       <location where you extracted the Identity Manager 4.8.5 Engine Patch>/Engine/Linux/x64/novell-DXMLbasenoarch-4.8.5-0100.x86_64.rpm

     rpm --dbpath /home/idvault/rpm -Uvh \
       --relocate=/usr=/home/idvault/opt/novell/eDirectory \
       --relocate=/etc=/home/idvault/etc \
       --relocate=/opt/novell/eDirectory=/home/idvault/opt/novell/eDirectory \
       --relocate=/opt/novell/dirxml=/home/idvault/opt/novell/dirxml \
       --relocate=/var=/home/idvault/var \
       --badreloc --nodeps --replacefiles \
       <location where you extracted the Identity Manager 4.8.5 Engine Patch>/Engine/Linux/x64/novell-DXMLengnx-4.8.5-0100.x86_64.rpm

     rpm --dbpath /home/idvault/rpm -Uvh \
       --relocate=/usr=/home/idvault/opt/novell/eDirectory \
       --relocate=/etc=/home/idvault/etc \
       --relocate=/opt/novell/eDirectory=/home/idvault/opt/novell/eDirectory \
       --relocate=/opt/novell/dirxml=/home/idvault/opt/novell/dirxml \
       --relocate=/var=/home/idvault/var \
       --badreloc --nodeps --replacefiles \
       <location where you extracted the Identity Manager 4.8.5 Engine Patch>/Engine/Linux/x64/novell-DXMLeventx-4.8.5-100.x86_64.rpm

  2f Run the following command to start the Identity Vault instance:

     ndsmanage startall


Updating Remote Loader 


NOTE: Before updating the Remote Loader, ensure that the following components are stopped:

* Remote Loader instance
* Driver instance running with the Remote Loader
* Remote Loader Console

1 Download and extract the Identity_Manager_4.8.5_P1_Engine.zip file.

2 Navigate to the <extracted location>/RL/Linux directory.

3 (Conditional) If you are running a 64-bit Remote Loader, navigate to the x64 directory and run
  the following commands:

  rpm -Uvh novell-DXMLbasenoarch-4.8.5-0100.x86_64.rpm
  rpm -Uvh novell-DXMLrdxmlx-4.8.5-0100.x86_64.rpm

4 (Conditional) If you are running a 32-bit Remote Loader, navigate to the x86 directory and run
  the following commands:

  rpm -Uvh novell-DXMLbasenoarch-4.8.5-0100.i586.rpm
  rpm -Uvh novell-DXMLrdxml-4.8.5-0100.i586.rpm

5 Start the Remote Loader instance and the driver instance.

NOTE: If Remote Loader and Identity Vault are installed on the same machine, you must ensure
that you upgrade the Identity Vault.


Updating Fanout Agent 


NOTE: Before updating the Fanout Agent, ensure that the following components are stopped:

* Fanout Agent instance
* Driver instance

1 Download and extract the Identity_Manager_4.8.5_P1_Engine.zip file.

2 Navigate to the <extracted location>/FanoutAgent/Linux/x64 directory.

3 Run the following commands to update the RPMs:

  rpm -Uvh novell-DXMLbasenoarch-4.8.5-0100.x86_64.rpm
  rpm -Uvh novell-DXMLfanoutagent-1.2.6-0100.noarch.rpm

4 Start the Fanout Agent instance and the driver instance.


NOTE: You must ensure that you upgrade the Engine to support the upgraded Fanout Agent.


Updating Identity Applications

1 Stop the Tomcat, NGINX, and Golang services by executing the following commands:

  systemctl stop netiq-tomcat.service
  systemctl stop netiq-nginx.service
  systemctl stop netiq-golang.service

2 Download and extract the Identity_Manager_APPS_4.8.5_P1.zip file.

3 Navigate to the <extracted location>/Linux directory.

4 Back up the IDMProv.war and workflow.war files from the <Identity Applications
  Tomcat installed location>/webapps directory.

5 Run the following commands:

  rpm -Uvh netiq-userapp-4.8.5-0100.noarch.rpm
  rpm -Uvh netiq-workflow-1.5.0.0100-1.noarch.rpm
  rpm -Uvh netiq-forms-1.0.5.0100-1.noarch.rpm

6 (Conditional) If you install the rpm as root, navigate to the
  /opt/netiq/idm/apps/tomcat/webapps/ directory and run the following commands to add
  execute permission and user rights for the replaced war files:

  chmod +x IDMProv.war idmadmin.war idmappsdoc.war idmdash.war workflow.war
  chown -R novlua:novlua IDMProv.war idmadmin.war idmappsdoc.war idmdash.war workflow.war
  chown -R novlua:novlua /opt/netiq/idm/apps/tomcat/conf
  chown -R novlua:novlua /opt/netiq/idm/apps/sites

7 Delete the following from the <Identity Applications Tomcat installed
  location>/webapps directory:

  * IDMProv folder
  * workflow folder

8 Delete all the files and directories from the <Identity Applications Tomcat installed
  location>/temp and <Identity Applications Tomcat installed location>/work directories.

9 Start the Golang and NGINX services by executing the following commands:

  systemctl start netiq-golang.service
  systemctl start netiq-nginx.service

10 (Conditional) If you are using the PostgreSQL database shipped with Identity Manager, run the
   following command to restart PostgreSQL:

   systemctl restart netiq-postgresql.service

11 Start the Tomcat service:

   systemctl start netiq-tomcat.service


Updating the SSPR

NOTE: Use this method if SSPR is:

* Installed on a different server than the Identity Applications server.
* Installed in a Standard Edition.

1 Stop the Tomcat service:

  systemctl stop netiq-tomcat.service

2 Download and extract the Identity_Manager_SSPR_4.8.5_P1.zip file.

3 Navigate to the <extracted location>/Linux directory.

4 Run the following command:

  rpm -Uvh netiq-sspr-4.5.0.5-1.noarch.rpm

5 (Conditional) If you install the rpm as root, run the following commands to add execute
  permission and user rights for the replaced war files:

  chmod +x sspr.war
  chown -R novlua:novlua sspr.war

6 Start the Tomcat service:

  systemctl start netiq-tomcat.service


Updating the iManager

NOTE: This update procedure is optional if the version of iManager is other than 3.2.6.0200.

1 Download and extract the iMan_326_P2_linux_x86_64.tgz file from the Download site.

2 Navigate to the <extracted location>/iManager/installs/linux directory.

3 Run the installer using the following command:

  ./iManagerInstallLinux.bin


Post-Update Steps for iManager

To update the Identity Manager plug-ins from iManager, perform the following actions:

1 Log in to iManager.

2 Navigate to Configure > Plug-in Installation > Available NetIQ Plug-in Modules.

3 Select the NetIQ Identity Manager iManager 3.2 Plug-ins for IDM 4.8.5.0100 and click Install.

4 Restart the Tomcat.


Updating Identity Manager Third Party License

1 Navigate to the Identity Manager installed folder on your machine and find the
  IdentityManager-3rdParty-license.txt file location. For example,
  /opt/netiq/idm/IdentityManager-3rdParty-license.txt.

2 Download and extract the Identity_Manager_4.8.5_P1_Engine.zip file.

3 Navigate to the <extracted location>/license directory.

4 Copy the IdentityManager-3rdParty-license.txt file and use it to replace the file in the
  location specified in Step 1.


Updating this Patch on Windows 


This patch requires you to update the following components based on your requirement: 


* “Updating Identity Manager Engine”
* “Updating Remote Loader”
* “Updating Fanout Agent”
* “Updating Identity Applications”
* “Updating the SSPR”
* “Updating the iManager”
* “Updating Identity Manager Third Party License”


Updating Identity Manager Engine

1 Stop the Identity Vault service.

2 Download the Identity_Manager_4.8.5_P1_Engine.zip file.

3 Extract the Identity_Manager_4.8.5_P1_Engine.zip file.

4 Navigate to the location where Identity Vault is installed. For example, C:\NetIQ\IDM\NDS\.

5 Back up the dxevent.dll and dirxml.dlm files.

6 Navigate to the lib folder located inside the directory where Identity Vault is installed. For
  example, C:\NetIQ\IDM\NDS\lib.

7 Back up the dirxml.jar, dirxml_misc.jar, and jetty-all-*.jar files and delete the
  jetty-all-*.jar file.

8 Navigate to the
  Identity_Manager_4.8.5_P1_Engine.zip\Identity_Manager_4.8.5_P1_Engine\Engine\Windows\64-bit
  folder.

9 Copy the dxevent.dll and dirxml.dlm files to the location where Identity Vault is installed.
  For example, C:\NetIQ\IDM\NDS\.

10 Copy the dirxml.jar, dirxml_misc.jar, and jetty-all-*.jar files to the lib folder
   located inside the directory where Identity Vault is installed. For example,
   C:\NetIQ\IDM\NDS\lib.

11 Start the Identity Vault service.


Updating Remote Loader 


NOTE: Before updating the Remote Loader, ensure that you perform the following steps:

* Stop the Remote Loader instance
* Stop the Driver instances running with the Remote Loader
* Close the Remote Loader Console

1 Download and extract the Identity_Manager_4.8.5_P1_Engine.zip file.

2 (Conditional) If you are running a 64-bit Remote Loader, perform the following steps:

  2a Download and extract the Identity_Manager_4.8.5_P1_Engine file.

  2b Navigate to the Remote Loader 64-bit location and back up the dirxml_remote files. For
     example, C:\NetIQ\IDM\RemoteLoader\64bit\.

  2c Navigate to the Remote Loader 64-bit library location and back up the dirxml_misc.jar,
     dirxml_remote.jar, and jetty-all-*.jar files. For example,
     C:\NetIQ\IDM\RemoteLoader\64bit\lib

  2d Navigate to the <extracted location>\RL\Windows\64-bit folder.

  2e Copy the dirxml_remote file to the Remote Loader 64-bit location. For example,
     C:\NetIQ\IDM\RemoteLoader\64bit.

  2f Navigate to the Remote Loader 64-bit library location and delete the jetty-all-*.jar
     file. For example, C:\NetIQ\IDM\RemoteLoader\64bit\lib.

  2g Copy the lib files from the <extracted location>\RL\Windows\lib folder to the Remote
     Loader 64-bit library location. For example,
     C:\NetIQ\IDM\RemoteLoader\64bit\lib.

3 (Conditional) If you are running a 32-bit Remote Loader, perform the following steps:

  3a Download and extract the Identity_Manager_4.8.5_P1_Engine file.

  3b Navigate to the 32-bit Remote Loader location and back up the dirxml_remote files. For
     example, C:\NetIQ\IDM\RemoteLoader\.Net.

  3c Navigate to the 32-bit Remote Loader library location and back up the dirxml_misc.jar,
     dirxml_remote.jar, and jetty-all-*.jar files. For example,
     C:\NetIQ\IDM\RemoteLoader\.Net\lib.

  3d Navigate to the <extracted location>\RL\32-bit folder.

  3e Copy the dirxml_remote file to the Remote Loader 32-bit location. For example,
     C:\NetIQ\IDM\RemoteLoader\32bit.

  3f Navigate to the Remote Loader 32-bit library location and delete the jetty-all-*.jar
     file. For example, C:\NetIQ\IDM\RemoteLoader\32bit\lib.

  3g Copy the lib files from the <extracted location>\RL\Windows\lib folder to the Remote
     Loader 32-bit library location. For example, C:\NetIQ\IDM\RemoteLoader\32bit\lib

4 (Conditional) If you are running .Net Remote Loader, perform the following steps:

  4a Download and extract the Identity_Manager_4.8.5_P1_Engine file.

  4b Navigate to the .NET Remote Loader location and back up the dirxml_remote.exe,
     DXMLBase.dll, DXMLRemote.dll, RemoteLoader.exe, and RemoteLoaderSvc.exe
     files. For example, C:\NetIQ\IDM\RemoteLoader\.Net\.

  4c Navigate to the .NET Remote Loader library location and back up the dirxml_misc.jar file.
     For example, C:\NetIQ\IDM\RemoteLoader\.Net\lib.

  4d Navigate to the <extracted location>\RL.NET\Windows\64-bit folder.

  4e Copy the dirxml_remote.exe, DXMLBase.dll, DXMLRemote.dll, RemoteLoader.exe,
     and RemoteLoaderSvc.exe files to the .NET location. For example,
     C:\NetIQ\IDM\RemoteLoader\.Net

  4f Navigate to the <extracted location>\RL.NET\Windows\lib folder. For example,
     C:\NetIQ\IDM\RemoteLoader\RL.NET\Windows\lib.

  4g Copy the lib files from the <extracted location>\RL.NET\Windows\lib folder to the .NET
     library location. For example, C:\NetIQ\IDM\RemoteLoader\.Net\lib

5 Start the Remote Loader instance and the driver instance.

NOTE: If Remote Loader and Identity Vault are installed on the same machine, you must ensure
that you upgrade the Identity Vault.


Updating Fanout Agent 


This procedure applies only if Fanout Agent is installed on a standalone server.

NOTE: Before updating the Fanout Agent, ensure that the following components are stopped:

* Fanout Agent instance
* Driver instance

1 Download and extract the Identity_Manager_4.8.5_P1_Engine file.

2 Navigate to the <extracted location>\FanoutAgent\Windows\lib directory.

3 Copy all the library files to the Fanout Agent library location. For example,
  C:\NetIQ\IDM\FanoutAgent\lib

4 Start the Fanout Agent instance and the driver instance.

NOTE: You must ensure that you upgrade the Engine to support the upgraded Fanout Agent.


Updating Identity Applications

1 On your Identity Applications server, press Windows + R on your keyboard, type
  services.msc and select OK to open the Windows Services interface. From the Windows
  services, stop the IDM Apps Tomcat Service, NetIQ Nginx Service, and NetIQ IGA Form Renderer
  Service.

2 Back up the IDMProv.war and workflow.war files from the <Identity Applications
  Tomcat installed location>\webapps\ folder.

3 Delete the following from the <Identity Applications Tomcat installed
  location>\webapps\ folder:

  * IDMProv.war
  * IDMProv folder
  * workflow.war
  * workflow folder

4 Download and extract the Identity_Manager_APPS_4.8.5_P1.zip file.

5 Copy the IDMProv.war and workflow.war files from the extracted location to the <Identity
  Applications Tomcat installed location>\webapps\ folder.

6 Copy the IGA-form-renderer-server.exe from the extracted location to the
  C:\netiq\idm\apps\sites\ folder.

7 Delete all the files and folders from the <Identity Applications Tomcat installed
  location>\temp and <Identity Applications Tomcat installed location>\work folders.

8 (Optional) Navigate to the C:\NetIQ\idm\apps\tomcat\conf\ folder and set the
  com.netiq.idm.rbpm.updateConfig-On-StartUp flag to true in the
  ism-configuration.properties file.

9 From the Windows services, start the NetIQ IGA Form Renderer Service, NetIQ Nginx Service,
  and IDM Apps Tomcat Service on your Identity Applications server.

Updating the SSPR

NOTE: Use this method if SSPR is:

* Installed on a different server than the Identity Applications server.
* Installed in a Standard Edition.

1 From the Windows services, stop the Tomcat Service running on your SSPR server.

2 Back up the sspr.war file from the <Identity Applications Tomcat installed
  location>\webapps\ folder.

3 Download and extract the Identity_Manager_SSPR_4.8.5_P1.zip file.

4 Navigate to the <extracted location>/windows directory.

5 Copy the sspr.war file from the extracted location to the <Identity Applications Tomcat
  installed location>\webapps\ folder.

6 Delete all the files and folders from the <Identity Applications Tomcat installed
  location>\temp and <Identity Applications Tomcat installed location>\work folders.

7 From the Windows services, start the IDM Apps Tomcat Service on your Identity
  Applications server.


Updating the iManager

NOTE: This update procedure is optional if the version of iManager is other than 3.2.6.0200.

1 Download and extract the iMan_326_P2_win_x86_64.tgz file from the Download site.

2 Navigate to the <extracted location>\iManager\installs\win directory.

3 Run the iManagerInstall.exe file.


Post Update Steps for iManager

To update the Identity Manager plug-ins from iManager, perform the following actions:

1 Log in to iManager.

2 Navigate to Configure > Plug-in Installation > Available NetIQ Plug-in Modules.

3 Select the NetIQ Identity Manager iManager 3.2 Plug-ins for IDM 4.8.5.0100 and click Install.

4 Restart the Tomcat.


Updating Identity Manager Third Party License

1 Navigate to the Identity Manager installed folder on your machine and find the
  IdentityManager-3rdParty-license.txt file location. For example,
  C:\NetIQ\IDM\IdentityManager-3rdParty-license.txt

2 Download and extract the Identity_Manager_4.8.5_P1_Engine.zip file.

3 Navigate to the <extracted location>\license folder.

4 Copy the IdentityManager-3rdParty-license.txt file and use it to replace the file in the
  location specified in Step 1.


3 Updating Designer


You must be on Designer 4.8.5 at a minimum to apply this update. The update process includes the 
following tasks: 


Online Update (using the Auto Update feature) 


You can apply this update using the built-in auto-update feature of Designer. The auto-update 
feature notifies you of new features available at the Designer Download Site. This feature allows you 
to download Designer package and software updates when the computer that has Designer installed 
is connected to the Internet. 

1 Launch Designer. 

2 From Designer's main menu, click Help > Check for Designer Updates. 

3 Click Yes to accept the Designer updates. 


4 Restart Designer for the changes to take effect. 


Offline Update (Using the download page to apply the update)

This service pack includes an Identity_Manager_4.8.5_P1_Designer.zip file for updating
Designer. You can also perform an offline update of Designer when the computer that has Designer
installed is not connected to the Internet. To perform an offline update, first download this service
pack on a local or remote computer and then point Designer to the directory containing the
downloaded files.

To update Designer in an offline mode, create an offline copy of the Designer update files and then
configure Designer to read the patch updates from the files copied to the local directory.

To create an offline copy of the Designer update files:

1 Log in to the computer where Designer is installed.

2 Download the Identity_Manager_4.8.5_P1_Designer.zip file from the downloads site.

3 Extract the downloaded files into a local directory.

To configure Designer to read the patch updates from the local directory:

1 Launch Designer.

2 From Designer's main menu, click Windows > Preferences.

3 Click NetIQ > Identity Manager and select Updates.

4 For URL, specify file:///media/<path to update file>/updatesite1_0_0/

  For a Linux mounted ISO, use the following URL format:

  file:///media/designer4850loffline/updatesite1_0_0/

5 Click Apply, then click OK.

6 From Designer's main menu, click Help > Check for Designer Updates.

7 Select the required updates and click Yes to accept and update the Designer.

8 Restart Designer for the changes to take effect.


Updating Identity Manager Containers 


This section provides information on updating individual containers of Identity Manager. 
The procedures for updating containers are described in subsequent sections. 


* “Prerequisites for Updating Containers”
* “Updating Containers on Distributed Servers”
* “Updating Containers on a Single Server”


NOTE: You must be on Identity Manager 4.8.5 at a minimum to apply this patch. 


Prerequisites for Updating Containers 


Perform the following steps before you update each of the Identity Manager containers. 


1 (Conditional) Copy the required dependent files to the mount directory. For more information,
  see Handling RPM Updates and Third Party Files.

2 Stop all the Identity Manager containers.

  docker stop <container name>

  For example,

  docker stop engine-container

3 Back up the shared directory. The examples in this guide assume /data as the shared
  directory.

4 Delete all the Identity Manager containers.

  docker rm <container name>

  For example,

  docker rm engine-container

5 (Conditional) Delete all obsolete Docker images.

  docker rmi <image ID>


Updating Containers on Distributed Servers 


The containers must be updated in the following order: 


* “Updating Identity Manager Engine Container”
* “Updating Remote Loader Container”
* “Updating Fanout Agent Container”
* “Updating iManager Container”
* “Updating Identity Applications Container”
* “Updating Form Renderer Container”
* “Updating SSPR Container”


Updating Identity Manager Engine Container 


1 Create a credentials.properties file under the shared directory /data with the following
  content.

  ID_VAULT_ADMIN="<ID_VAULT_ADMIN>"
  ID_VAULT_PASSWORD="<ID_VAULT_PASSWORD>"

  where ID_VAULT_ADMIN must be in dot format.

  For example,

  ID_VAULT_ADMIN="admin.sa.system"
  ID_VAULT_PASSWORD="novell"

2 (Conditional) To handle any driver RPM updates or third-party files, perform the steps
  mentioned in Handling RPM Updates and Third Party Files.

3 Navigate to the location where you have extracted the
  Identity_Manager_4.8.5_P1_Containers.tar.gz file.

4 Navigate to the docker-images directory.

5 Run the following command to load the image:

  docker load --input IDM_485_P1_identityengine.tar.gz

6 Update the container using the following command if you are deploying the Identity Manager
  Engine using the overlay network:

  docker run -d --ip=192.168.0.12 --network=idmoverlaynetwork \
    --hostname=identityengine.example.com --name=engine-container \
    -v /etc/hosts:/etc/hosts -v /data:/config \
    -p 8028:8028 -p 524:524 -p 389:389 -p 8030:8030 -p 636:636 \
    -e SILENT_INSTALL_FILE=/config/credentials.properties \
    --stop-timeout 100 identityengine:idm-4.8.5.0100

  Update the container using the following command if you are deploying the Identity Manager
  Engine using the host network:

  docker run -d --network=host --name=engine-container \
    -v /etc/hosts:/etc/hosts -v /data:/config \
    -e SILENT_INSTALL_FILE=/config/credentials.properties \
    --stop-timeout 100 identityengine:idm-4.8.5.0100
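
The credentials.properties file from step 1 holds the Identity Vault administrator password in clear text in the shared /data directory, so it is worth checking before the container is started. The script below is an added example, not part of the NetIQ guide or product: it checks the dot format the guide requires, rejects the template placeholders and the guide's sample password, and (an assumption of this example, not a documented requirement) fails when group or others have any access to the file.

```sh
#!/bin/sh
# Added example (not vendor code): pre-flight check for the credentials.properties
# file that the engine container reads through SILENT_INSTALL_FILE.

# Print the value assigned to KEY ($1) in a KEY="value" file ($2); last assignment wins.
prop_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 if the file passes every check; otherwise print each finding and return 1.
check_credentials_file() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    admin=$(prop_value ID_VAULT_ADMIN "$file")
    password=$(prop_value ID_VAULT_PASSWORD "$file")

    # The guide requires dot format (admin.sa.system), not an LDAP DN
    # such as cn=admin,ou=sa,o=system.
    if [ -z "$admin" ] || [ "$admin" = "<ID_VAULT_ADMIN>" ]; then
        echo "FAIL: ID_VAULT_ADMIN is empty or still the template placeholder"
        rc=1
    elif ! printf '%s\n' "$admin" |
            grep -Eq '^[^.=,[:space:]]+(\.[^.=,[:space:]]+)+$'; then
        echo "FAIL: ID_VAULT_ADMIN '$admin' is not in dot format"
        rc=1
    fi

    case $password in
        ''|'<ID_VAULT_PASSWORD>')
            echo "FAIL: ID_VAULT_PASSWORD is empty or still the template placeholder"
            rc=1 ;;
        novell)
            # "novell" is the sample value printed in the guide.
            echo "FAIL: ID_VAULT_PASSWORD is the documentation sample value"
            rc=1 ;;
    esac

    # Assumption of this example: because the file holds a cleartext admin
    # password, no permission bit may be set for group or others.
    open=$(find "$file" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$open" ]; then
        echo "FAIL: $file is accessible to group or others (chmod 600 it)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $file"
    fi
    return "$rc"
}

# Self-demo on constructed sample files (values below are made up for the demo).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'ID_VAULT_ADMIN="admin.sa.system"\nID_VAULT_PASSWORD="constructed-Sample-1"\n' \
        > "$dir/good.properties"
    chmod 600 "$dir/good.properties"
    printf 'ID_VAULT_ADMIN="cn=admin,ou=sa,o=system"\nID_VAULT_PASSWORD="novell"\n' \
        > "$dir/bad.properties"
    chmod 644 "$dir/bad.properties"
    check_credentials_file "$dir/good.properties" || true
    check_credentials_file "$dir/bad.properties" || true
    rm -rf "$dir"
    return 0
}

# With a path argument, check that file; without one, run the demo.
if [ "$#" -gt 0 ]; then
    check_credentials_file "$1"
else
    demo
fi
```

Run it as `sh check_credentials.sh /data/credentials.properties` (the script name is hypothetical); the owner of the file must be the account the container reads it as.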


Updating Remote Loader Container 


1 (Conditional) To handle any driver RPM updates or third-party files, perform the steps
  mentioned in Handling RPM Updates and Third Party Files.

2 (Conditional) To start Remote Loader instances automatically with the container, perform the
  steps mentioned in Starting Remote Loader Instances Automatically With Remote Loader
  Container Deployment.

3 Navigate to the location where you have extracted the
  Identity_Manager_4.8.5_P1_Containers.tar.gz file.

4 Navigate to the docker-images directory.

5 Run the following command to load the image:

  docker load --input IDM_485_P1_remoteloader.tar.gz

6 Deploy the container by running the following command:

  docker run -d --ip=192.168.0.2 --network=idmoverlaynetwork \
    --hostname=remoteloader.example.com -p 8090:8090 --name=rl-container \
    -v /etc/hosts:/etc/hosts -v /data:/config \
    --stop-timeout 100 remoteloader:idm-4.8.5.0100

  The driver files can be found at the /opt/novell/eDirectory/lib/dirxml/classes/
  directory of the container.

7 (Conditional) If the Remote Loader instances are not running, start the Remote Loader
  instances.


Updating Fanout Agent Container 


1 Navigate to the location where you have extracted the
  Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:

  docker load --input IDM_485_P1_fanoutagent.tar.gz

4 Update the container using the following command:

  docker run -d --ip=192.168.0.3 --network=idmoverlaynetwork \
    --hostname=fanoutagent.example.com --name=foa-container \
    -v /etc/hosts:/etc/hosts -v /data:/config \
    --stop-timeout 100 fanoutagent:idm-4.8.5.0100

5 Start Fanout Agent.


Updating iManager Container 


1 Navigate to the location where you have extracted the
  Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:

  docker load --input iManager_326_P2.tar.gz

4 Ensure that the iManager.env file is created and present in the /data directory.

  # Certificate Public Key Algorithm
  # Allowed Values: RSA, ECDSA256, ECDSA384
  CERTIFICATE_ALGORITHM=RSA
  # Cipher Suite
  # Allowed Values:
  # For RSA - NONE, LOW, MEDIUM HIGH
  # For ECDSA256 - SUITEB128ONLY
  # For ECDSA384 - SUITEB128, SUITEB192
  CIPHER_SUITE=NONE
  # Tomcat Server HTTP Port
  TOMCAT_HTTP_PORT=8080
  # Tomcat Server SSL Port
  TOMCAT_SSL_PORT=8743
  # iManager Authorized User (admin_name.container_name.tree_name)
  AUTHORIZED_USER=

5 Update the container using the following command:

  docker run -d --ip=192.168.0.4 --name=iman-container \
    --network=idmoverlaynetwork --hostname=imanager.example.com \
    -v /etc/hosts:/etc/hosts -v /data:/config \
    -v /data/iManager.env:/etc/opt/novell/iManager/conf/iManager.env \
    -p 8743:8743 --stop-timeout 100 imanager:3.2.6-p2

6 (Conditional) If you have already installed Identity Manager, run the following command to
  check whether the plug-ins are loaded.

  docker logs <container name>

  For example,

  docker logs iman-container

7 To install the Identity Manager plug-ins, perform the following steps:

  7a Log in to iManager.

     https://imanager.example.com:8743/nps/

  7b Click Configure.

  7c Click Plug-in Installation and then click Available NetIQ Plug-in Modules.

  7d Select the NetIQ Identity Manager iManager 3.2 Plug-ins for IDM 4.8.5.0100 and click Install.

     To obtain the plug-ins offline, perform the following steps:

     1. Download the Identity_Manager_4.8.5_Linux.iso from the NetIQ Downloads
        website.

     2. Mount the downloaded .iso.

     3. From the mounted location, navigate to the /iManager/plugins directory and obtain
        the required plug-ins.

     Alternatively, you can install the plug-ins from the iManager plug-ins website.

8 Restart the iManager container.

  docker restart iman-container

Updating Identity Applications Container

1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_identityapplication.tar.gz

4 Update the container using the following command:
docker run -d --ip=192.168.0.7 --network=idmoverlaynetwork --hostname=identityapps.example.com -p 18543:18543 --name=idapps-container -v /etc/hosts:/etc/hosts -v /data:/config --stop-timeout 100 identityapplication:idm-4.8.5.0100


Updating Form Renderer Container 


1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_formrenderer.tar.gz

4 Update the container using the following command:
docker run -d --ip=192.168.0.8 --network=idmoverlaynetwork --hostname=formrenderer.example.com -p 8600:8600 --name=fr-container -v /etc/hosts:/etc/hosts -v /data:/config --stop-timeout 100 formrenderer:idm-4.8.5.0100


Updating SSPR Container 


1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_sspr.tar.gz

4 Update the container using the following command:
docker run -d --ip=192.168.0.11 --network=idmoverlaynetwork --hostname=sspr.example.com --name=sspr-container -v /etc/hosts:/etc/hosts -v /data/sspr:/config -p 8443:8443 --stop-timeout 100 sspr/sspr-webapp:latest

Updating Containers on a Single Server

The containers must be updated in the following order:

• “Updating Identity Manager Engine Container”
• “Updating Remote Loader Container”
• “Updating Fanout Agent Container”
• “Updating iManager Container”
• “Updating Identity Applications Container”
• “Updating Form Renderer Container”
• “Updating SSPR Container”


Updating Identity Manager Engine Container 


1 Create a credentials.properties file under the shared directory /data with the following content.

ID_VAULT_ADMIN="<ID_VAULT_ADMIN>"
ID_VAULT_PASSWORD="<ID_VAULT_PASSWORD>"

where ID_VAULT_ADMIN must be in dot format.

For example,

ID_VAULT_ADMIN="admin.sa.system"
ID_VAULT_PASSWORD="novell"


2 (Conditional) To handle any driver RPM updates or third-party files, perform the steps 
mentioned in Handling RPM Updates and Third Party Files. 


3 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

4 Navigate to the docker-images directory.

5 Run the following command to load the image:
docker load --input IDM_485_P1_identityengine.tar.gz

6 Update the container using the following command:
docker run -d --network=host --name=engine-container -v /etc/hosts:/etc/hosts -v /data:/config -e SILENT_INSTALL_FILE=/config/credentials.properties --stop-timeout 100 identityengine:idm-4.8.5.0100
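
Step 1 stores the vault administrator password in cleartext under /data, and most docker run commands in this guide bind-mount /data into the container. The script below is an added example, not NetIQ code: it lists which containers can see a given host file and flags a group- or world-accessible mode. The function names are hypothetical, RUN_LINES is reduced from the single-server commands in this guide, and treating owner-only permissions as the target is this example's assumption.

```shell
#!/bin/sh
# Added example (not NetIQ code): find which containers in this guide can
# read a host file through their bind mounts, and check the file's mode.

# The single-server docker run commands, reduced to --name, -v and image.
RUN_LINES='
docker run --name=engine-container -v /etc/hosts:/etc/hosts -v /data:/config identityengine:idm-4.8.5.0100
docker run --name=rl-container -v /data:/config remoteloader:idm-4.8.5.0100
docker run --name=foa-container -v /data:/config fanoutagent:idm-4.8.5.0100
docker run --name=iman-container -v /data:/config -v /data/iManager.env:/etc/opt/novell/iManager/conf/iManager.env imanager:3.2.6-p2
docker run --name=idapps-container -v /data:/config identityapplication:idm-4.8.5.0100
docker run --name=fr-container -v /data:/config formrenderer:idm-4.8.5.0100
docker run --name=sspr-container -v /data/sspr:/config sspr/sspr-webapp:latest
'

# Usage: exposed_in HOST_FILE "$RUN_LINES"
# Prints "container<TAB>path inside container" for every -v source directory
# that contains HOST_FILE.
exposed_in() {
    target=$1
    printf '%s\n' "$2" | while read -r line; do
        name=""
        for word in $line; do
            case "$word" in --name=*) name=${word#--name=} ;; esac
        done
        prev=""
        for word in $line; do
            if [ "$prev" = "-v" ]; then
                src=${word%%:*}; rest=${word#*:}; dst=${rest%%:*}
                case "$target" in
                    "$src"/*) rel=${target#"$src"/}
                              printf '%s\t%s\n' "$name" "$dst/$rel" ;;
                esac
            fi
            prev=$word
        done
    done
}

# Return 0 if FILE grants any permission to group or others.
loose_mode() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" != "------" ]
}
```

Running `exposed_in /data/credentials.properties "$RUN_LINES"` lists every container except sspr-container, which mounts only /data/sspr.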


Updating Remote Loader Container 


1 (Conditional) To handle any driver RPM updates or third-party files, perform the steps 
mentioned in Handling RPM Updates and Third Party Files. 


2 (Conditional) To start Remote Loader instances automatically with the container, perform the 
steps mentioned in Starting Remote Loader Instances Automatically With Remote Loader 
Container Deployment. 

3 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

4 Navigate to the docker-images directory.

5 Run the following command to load the image:
docker load --input IDM_485_P1_remoteloader.tar.gz

6 Update the container using the following command:
docker run -d --network=host --name=rl-container -v /data:/config --stop-timeout 100 remoteloader:idm-4.8.5.0100

For example:
docker run -d --network=host --name=rl-container -v /data:/config --stop-timeout 100 remoteloader:idm-4.8.5.0100

The driver files can be found at the /opt/novell/eDirectory/lib/dirxml/classes/ directory of the container.

7 (Conditional) If the Remote Loader instances are not running, start the Remote Loader instances.


Updating Fanout Agent Container 


1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_fanoutagent.tar.gz

4 Update the container using the following command:
docker run -d --network=host --name=foa-container -v /data:/config --stop-timeout 100 fanoutagent:idm-4.8.5.0100

5 Start Fanout Agent.

Updating iManager Container

1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input iManager_326_P2.tar.gz

4 Ensure that the iManager.env file is created and present in the /data directory.
# Certificate Public Key Algorithm
# Allowed Values: RSA, ECDSA256, ECDSA384
CERTIFICATE_ALGORITHM=RSA

# Cipher Suite
# Allowed Values:
# For RSA - NONE, LOW, MEDIUM HIGH
# For ECDSA256 - SUITEB128ONLY
# For ECDSA384 - SUITEB128, SUITEB192
CIPHER_SUITE=NONE

# Tomcat Server HTTP Port
TOMCAT_HTTP_PORT=8080

# Tomcat Server SSL Port
TOMCAT_SSL_PORT=8743

# iManager Authorized User (admin_name.container_name.tree_name)
AUTHORIZED_USER=


5 Update the container using the following command:
docker run -d --network=host --name=iman-container -v /data:/config -v /data/iManager.env:/etc/opt/novell/iManager/conf/iManager.env --stop-timeout 100 imanager:3.2.6-p2


6 To install the Identity Manager plug-ins, perform the following steps:
6a Log in to iManager.
https://identitymanager.example.com:8743/nps/
6b Click Configure.
6c Click Plug-in Installation and then click Available NetIQ Plug-in Modules.
6d Select the NetIQ Identity Manager iManager 3.2 Plug-ins for IDM 4.8.5.0100 and click Install.

To obtain the plug-ins offline, perform the following steps:

1. Download the Identity_Manager_4.8.5_Linux.iso from the NetIQ Downloads website.

2. Mount the downloaded .iso.

3. From the mounted location, navigate to the /iManager/plugins directory and obtain the required plug-ins.

Alternatively, you can install the plug-ins from the iManager plug-ins website.

7 Restart the iManager container.


docker restart iman-container 
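
Both sample iManager.env listings in this guide (in the procedure with --ip addresses and in the single-server procedure) document an allowed-value matrix in their comments. The script below is an added example, not NetIQ code, that checks a file against that matrix before the container is started. The function names, the optional published-port argument, and the warnings for CIPHER_SUITE=NONE/LOW and for an empty AUTHORIZED_USER are assumptions of this example, not statements from the guide.

```shell
#!/bin/sh
# Added example (not NetIQ code): lint iManager.env before `docker run`.

# Print the value of key $2 in env file $1 (last assignment wins).
env_get() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2=//p" "$1" |
        tail -n 1 | tr -d '\r"'
}

# Usage: check_imanager_env FILE [PUBLISHED_SSL_PORT]
# Prints one finding per line; returns 1 if any ERROR was found, else 0.
check_imanager_env() {
    file=$1 published=${2:-} rc=0 ok=0
    if [ ! -r "$file" ]; then echo "ERROR: cannot read $file"; return 1; fi
    alg=$(env_get "$file" CERTIFICATE_ALGORITHM)
    suite=$(env_get "$file" CIPHER_SUITE)
    ssl=$(env_get "$file" TOMCAT_SSL_PORT)
    user=$(env_get "$file" AUTHORIZED_USER)
    # Allowed-value matrix, copied from the comments in the sample file.
    case "$alg" in
        RSA)      allowed="NONE LOW MEDIUM HIGH" ;;
        ECDSA256) allowed="SUITEB128ONLY" ;;
        ECDSA384) allowed="SUITEB128 SUITEB192" ;;
        *)        allowed=""; rc=1
                  echo "ERROR: CERTIFICATE_ALGORITHM='$alg' is not an allowed value" ;;
    esac
    for a in $allowed; do
        if [ "$a" = "$suite" ]; then ok=1; fi
    done
    if [ -n "$allowed" ] && [ "$ok" -eq 0 ]; then
        echo "ERROR: CIPHER_SUITE='$suite' not valid for $alg ($allowed)"; rc=1
    fi
    # Assumption: NONE and LOW set little or no floor on cipher strength.
    case "$suite" in
        NONE|LOW) echo "WARN: CIPHER_SUITE=$suite may permit weak ciphers" ;;
    esac
    case "$ssl" in
        ''|*[!0-9]*) echo "ERROR: TOMCAT_SSL_PORT='$ssl' is not numeric"; rc=1 ;;
        *) if [ -n "$published" ] && [ "$ssl" != "$published" ]; then
               echo "ERROR: TOMCAT_SSL_PORT=$ssl but -p publishes $published"; rc=1
           fi ;;
    esac
    # Assumption: an empty value leaves no designated iManager administrator.
    case "$user" in
        '')     echo "WARN: AUTHORIZED_USER is empty" ;;
        *[=,]*) echo "ERROR: AUTHORIZED_USER must be in dot format"; rc=1 ;;
    esac
    return "$rc"
}
```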

Updating Identity Applications Container

1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_identityapplication.tar.gz

4 Update the container using the following command:
docker run -d --network=host --name=idapps-container -v /data:/config --stop-timeout 100 identityapplication:idm-4.8.5.0100


Updating Form Renderer Container 


1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_formrenderer.tar.gz

4 Update the container using the following command:
docker run -d --network=host --name=fr-container -v /data:/config --stop-timeout 100 formrenderer:idm-4.8.5.0100


Updating SSPR Container 


1 Navigate to the location where you have extracted the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Navigate to the docker-images directory.

3 Run the following command to load the image:
docker load --input IDM_485_P1_sspr.tar.gz

4 Update the container using the following command:
docker run -d --network=host --name=sspr-container -v /data/sspr:/config --stop-timeout 100 sspr/sspr-webapp:latest

Updating Identity Manager Containers on Microsoft Azure


This section provides information on updating the Identity Manager containers to this patch on 
Azure. 


IMPORTANT: To perform the following steps, you must have a machine with Docker installed and running and with the Azure CLI installed.


1 Download the Identity_Manager_4.8.5_P1_Containers.tar.gz file.

2 Run the following command to extract the .tar.gz file:
tar -zxvf Identity_Manager_4.8.5_P1_Containers.tar.gz

3 Upload images to Azure Container Registry using the following command:
Run ACRUpdate.sh


4 Upgrade Engine Container. 
1. To connect to Engine virtual machine through Bastion service, perform the following steps: 
a. Create Bastion service. 
i. Go to the Azure portal, and click All Resources. 
ii. Select the Identity Engine associated with your Resource Group. 
iii. Click Connect. 
iv. Click Bastion. 
v. Once the subnet is created, click Create Azure Bastion using default values. 
b. Access Engine virtual machine password. 
i. Open Key vault in your resource group. 
ii. Go to Secrets > Settings. 
iii. Click slesvmpwd. 
iv. Click on the current version. 
v. Copy the secret value. 
c. Connect to bastion. 
i. Select Engine virtual machine in your Resource Group. 
ii. Select operations > bastion. 
iii. After creating the bastion, enter "azureuser" as the username.
iv. Paste the copied password and click Connect. 
d. Run bash as superuser using the following command: 


sudo bash 
2. Connect to Azure Container Registry using the following command:
docker login <ACR_url> -u <ACR_user> -p <ACR_password>

3. Pull Engine 4.8.5.0100 images from Azure Container Registry using the following command:
docker pull <ACR_url>/identityengine:idm-4.8.5.0100

4. Stop Engine Container using the following command:
docker stop engine-container

5. Remove Engine Container and image using the following commands:
docker rm engine-container
docker rmi <ACR_url>/identityengine:idm-4.8.5

6. Start Engine Container using the following command:
docker run -d --network=host --name=engine-container --hostname=<VM hostname> --restart=unless-stopped -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties <ACR_url>/identityengine:idm-4.8.5.0100


7. Delete Bastion and the associated IP. 
5 Upgrade components in Kubernetes. 
1. Upload Helm Charts to Azure portal. 


2. Run the Helm Chart using the following command: 


helm upgrade identity-manager helmcharts/identity-manager-1.0.1.tgz --namespace <Kubernetes namespace> --values values.yaml

Known Issues


NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise 
software needs. There are no new issues other than the issues mentioned in NetIQ Identity Manager 
4.8.5 Release Notes. If you need further assistance with any issue, contact Technical Support. 